Help needed to remove client connecting to IPSEC IKEv2 VPN using certificate

Hi,

I'm configuring an IPsec IKEv2 VPN in the lab in order to test functionality, and after looking for it for a couple of days I cannot find how to remove a user from the VPN so he cannot log in again.

In order to create the user I follow these steps:

crypto key generate rsa general-keys modulus 4096 exportable label user@example.com
!
! output shortened
!
crypto pki authenticate user@example.com
crypto pki enroll user@example.com
!
exit

show crypto pki server ca-server requests

crypto pki server ca-server grant 1

crypto pki export user@example.com pkcs12 usbflash0:/user.pfx password <password>
!
crypto key zeroize rsa user@example.com
no crypto pki trustpoint user@example.com

The connection is working fine, but as I said I want to know the way to remove users.

Thanks in advance.

Accepted Solution

JP Miranda Z
Cisco Employee

Hi saul alonso ramos,

Sounds like you are trying to revoke a certificate so that when a client tries to connect with a revoked cert the authentication will fail. If that is the case you can use the following command:

crypto pki server cs-label revoke certificate-serial-number

Example:
Device# crypto pki server mycs revoke 3

Revokes a certificate on the basis of its serial number.

  • certificate-serial-number -- One of the following options:
    • A string with a leading 0x, which is treated as a hexadecimal value
    • A string with a leading 0 and no x, which is treated as octal
    • All other strings, which are treated as decimal

You can also take a look at the following link:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/15-mt/sec-pki-15-mt-book/sec-cfg-mng-cert-serv.html#GUID-EBB14F31-5117-4C7D-8ADF-D0108C690418

Hope this info helps!!

Rate if it helps you!

-JP-


5 Replies

Hi JP,

Thanks for the answer, but unfortunately after revoking it, running clear crypto session and configuring crypto ikev2 disconnect-revoked-peers, the computer is still able to connect.

This sounds strange to me, as if the certificate is revoked the client shouldn't be able to connect.

Thanks,

Hi Saul,

Try getting the following debugs:

debug cry pki messages

debug cry pki transactions

Hope this info helps!!

Rate if it helps you!

-JP-

Hi JP,

Here is the debug:

VPN#crypto pki server ca-server revoke 0x5

May 11 15:35:06.975: CRYPTO_CS: Current crl loaded in memory..
SEQ(623)
SEQ(89)
SEQ(13)
OID(9):SHA Signature 1.2.840.113549.1.1.5
NULL
END
SEQ(20)
SET(18)
SEQ(16)
OID(3):Common Name 2.5.4.3
PRT(9):ca-server
END
END
END
UTC(13):170511150505Z
UTC(13):170511210505Z
SEQ(20)
SEQ(18)
INT(1):4
UTC(13):170511150505Z
END
END
END
SEQ(13)
OID(9):SHA Signature 1.2.840.113549.1.1.5
NULL
END
BIT(512<-0>):
00 B0 41 48 9E 71 2A A5 C7 74 25 D2 2E 0B 4D 4F
07 5B 4A A0 98 43 66 1C 2E 4D 8A FA 8D AC CF 86
12 D7 A6 D0 09 D0 87 CD D0 8D 3A 46 EA 8C 11 02
05 71 9F 10 C8 B6 0E D5 41 D6 A1 DD 75 EF 0F 4B
C0 7D 43 63 45 44 E4 2E F3 61 3F F3 60 BD 19 BA
EF F9 18 96 84 7D 2B 1E 0E 48 51 AA D7 B9 6F 5C
07 3A 3C 23 46 04 A6 B6 A4 B7 B9 C9 66 45 D7 7A
B5 10 FA D7 9B 6C CC 01 D4 D9 E5 0C 88 77 36 16
5C 6E 57 7A 68 56 DE 7D 8B FD 42 4D 95 16 91 5F
6D 4A 23 EB F8 80 2B 57 E4 2E 0F 73 DD
% Certificate 05 succesfully revoked.
VPN#DC AE 81
7B 8D 85 87 49 DE B2 6D 20 8B 60 CD 00 5C 5B 0C
AA BA CC 6D 5C 3A 27 3C CD A0 C7 3D CD 8D EB CB
B5 90 6D C6 62 4E 45 9B D0 59 26 9E 00 BA 6F EE
76 CA 8A 86 84 DF 55 A0 D5 4A 07 A1 1E D6 CA 85
02 0F DE 30 7A 5E 48 09 DD 50 6F BE E9 B4 11 F1
90 58 B4 5B F7 80 52 B2 A5 04 57 6E 6A D7 CC 28
90 51 6E 6C B0 BC CF A3 A1 61 32 4C 45 4D C6 0B
85 5B B7 2B BF CA 1E 8B 9D 69 48 B6 1D 8B AA 66
AE 17 DF 52 BB C3 00 5A E4 A9 DF F8 48 97 92 FD
8E FD C1 04 80 DC 79 70 8A 5A 5F 0A AE 84 63 5F
3F 2A A6 0D 91 67 1B AE 7E DD B5 DC 8C 88 15 7E
5E 77 6F D9 3D DF B1 FF FB 6B AB E0 5A FB 43 4F
22 BD EF 6B F9 A7 B9 16 5A 08 7A C0 C7 9D 7F 63
C5 B9 0B 7D 35 01 5D 41 42 C6 C1 DF 5F FF 25 B0
43 B7 CC 42 5C 56 19 43 23 19 F9 C2 66 92 C6 0B
53 95 9E 37 84 D5 70 CD E0 02 EB A4 ED 9E 16 B6
1C F3 4E 87 07 D0 40 63 D0 AB E8 51 AB 0D 4B AA
BC 6F 88 8C E5 31 74 19 87 7F 9A 05 3D FF 0A 5E
1F 0B 97 F6 BD 49 1C B7 D0 A2 13 77 85 80 4D DD
EE 20 A0 E9 87 EE 16 66 34 3B F6 AE EB 1B 6D AA
B9 32 E5 70 D9 A7 E3 AA 98 4B D8 9F 9B 6A C2 34
1F D2 2A 2B F7 BF 73 AE 90 17 63 01 77 33 10 9E
38
END

May 11 15:35:09.359: CRYPTO_CS: updated crl in memory ..
SEQ(643)
SEQ(109)
SEQ(13)
OID(9):SHA Signature 1.2.840.113549.1.1.5
NULL
END
SEQ(20)
SET(18)
SEQ(16)
OID(3):Common Name 2.5.4.3
PRT(9):ca-server
END
END
END
UTC(13):170511153506Z
UTC(13):170511213506Z
SEQ(40)
SEQ(18)
INT(1):4
UTC(13):170511150505Z
END
SEQ(18)
INT(1):5
UTC(13):170511153506Z
END
END
END
SEQ(13)
OID(9):SHA Signature 1.2.840.113549.1.1.5
NULL
END
BIT(512<-0>):
00 A9 3B 05 2A 36 63 D9 F3 A6 6C 7D 08 7D 77 52
C0 C5 E1 0F 43 52 27 A1 A9 11 B5 49 C6 6A 77 BB
64 8B D8 62 62 B1 18 E9 A8 EB 6B 57 A9 FC B5 D6
75 65 43 BF 23 B9 9D 09 24 68 EF BB 96 73 09 4F
80 4B 45 80 01 54 FC 24 E0 D5 84 01 99 57 A9 7A
77 B0 C6 EF F4 55 F7 BE 94 81 10 20 20 D7 70 A0
35 B9 2A 4C 60 89 B5 9D AB 1E 0C A2 2E C3 71 5C
0F FA FB A2 B2 0A FC 11 38 FF 6E 5F 6B 46 E3 06
76 7F 07 41 4B DD 9F CA 68 69 19 DE E6 DE 11 E4
49 0F 6F 4D 69 D0 E2 86 7E 90 08 5C 18 61 49 67
51 D9 A4 8F C2 ED A4 FD 87 F3 4D 76 9B C0 9D A1
13 C9 F3 6F 4E A2 84 B2 A8 D2 07 64 99 19 70 A5
4D 02 A9 CA 1D 46 BC 0F 4B D1 85 5D A4 1C C4 70
F3 B9 B5 E0 77 A7 07 24 04 38 E5 F1 DB E0 EB 18
70 D8 9A 7A 41 FC 57 83 BB E7 62 1C 6B C1 51 4D
2C FA 69 B7 E7 E1 6A A1 AD 3A FB 47 09 21 23 20
86 AA 1E 1E 3E 6D 0A D8 2C F2 33 BA 16 BD 19 11
E4 CB 2D 5B A8 32 9F 58 7A 0C 91 03 39 4F BC 2B
1F 84 36 68 FA 96 36 A2 8E D8 6C 17 C6 98 4C 52
1F 6B BA 21 B6 D3 58 DC 45 99 FC F1 98 65 02 DD
11 C6 F2 FB 78 8A 8A 49 C6 90 D3 2A FD 4B 0B 0D
08 F9 31 D8 FE 74 BE 13 1A 58 04 C5 6B DF 17 9A
E0 98 43 EA DF 2D CA 55 3E DA 1F 36 9E DA 5E CE
63 22 DD 71 0A 85 6F 32 E0 45 F4 E9 90 F7 AC EE
E0 69 DD 7E 64 57 F8 1B 57 97 BC 91 F8 BF 19 69
08 EF 32 9E 9E 9D AB BC D1 68 D2 77 12 07 23 D7
24 9F 16 FC AA 04 F9 0C 3F B5 5C 3A 44 8D 6F 79
00 DC 67 75 8F 71 E4 A4 42 8D 75 11 3B DF 8F 9C
B5 E0 4F 4D 65 78 44 C3 1E A7 97 C1 BC BD 6F 33
EB 89 DE 95 80 0B A3 16 16 CD 36 DB 25 9F 5D 93
F3 68 51 B6 98 50 12 5E A1 FC 94 16 DF 3B FB 38
F6 C4 21 FD 11 55 2E 9E 1B 71 8C 6F F2 0A FD BC
66
END

VPN#clear crypto session
VPN#
May 11 15:35:36.227: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
May 11 15:35:36.247: CRYPTO_PKI: Initializing renewal timers
May 11 15:35:36.247: PKI:get_cert router 0x10 (expired=0):
VPN#
VPN#
VPN#
CRYPTO_PKI: found no hash match
May 11 15:35:50.895: CRYPTO_PKI: (A0009) Session started - identity not specified
May 11 15:35:51.739: CRYPTO_PKI: locked trustpoint router, refcount is 1
May 11 15:35:51.739: CRYPTO_PKI: Identity bound (router) for session A0009
May 11 15:35:51.739: CRYPTO_PKI: Added x509 peer certificate - (1297) bytes
May 11 15:35:51.743: CRYPTO_PKI: Added x509 peer certificate - (1290) bytes
May 11 15:35:51.743: CRYPTO_PKI: create new ca_req_context type PKI_VERIFY_CHAIN_CONTEXT,ident 7
May 11 15:35:51.743: CRYPTO_PKI: (A0009)validation path has 1 certs

May 11 15:35:51.743: CRYPTO_PKI: Found a issuer match
May 11 15:35:51.743: CRYPTO_PKI: (A0009) Using router to validate certificate
May 11 15:35:51.743: CRYPTO_PKI: Added 1 certs to trusted chain.
May 11 15:35:51.743: CRYPTO_PKI: Prepare session revocation service providers
May 11 15:35:51.743: CRYPTO_PKI: Deleting cached key having key id 34
May 11 15:35:51.743: CRYPTO_PKI: Attempting to insert the peer's public key into cache
May 11 15:35:51.743: CRYPTO_PKI:Peer's public inserted successfully with key id 35
May 11 15:35:51.775: CRYPTO_PKI: Expiring peer's cached key with key id 35
May 11 15:35:51.775: CRYPTO_PKI: (A0009) Starting CRL revocation check
May 11 15:35:51.775: CRYPTO_PKI: Deleting cached key having key id 35
May 11 15:35:51.775: CRYPTO_PKI: Attempting to insert the peer's public key into cache
May 11 15:35:51.775: CRYPTO_PKI:Peer's public inserted successfully with key id 36
May 11 15:35:51.803: CRYPTO_PKI: Expiring peer's cached key with key id 36
May 11 15:35:51.803: CRYPTO_PKI: Revocation check is complete, 0
May 11 15:35:51.803: CRYPTO_PKI: Revocation status = 0
May 11 15:35:51.803: CRYPTO_PKI: Remove session revocation service providers
May 11 15:35:51.803: CRYPTO_PKI: Remove session revocation service providers
May 11 15:35:51.803: CRYPTO_PKI: (A0009) Certificate validated
May 11 15:35:51.803: CRYPTO_PKI: Populate AAA auth data
May 11 15:35:51.803: CRYPTO_PKI: Unable to get configured attribute for primary AAA list authorization.
May 11 15:35:51.803: CRYPTO_PKI: (A0009)chain cert was anchored to trustpoint router, and chain validation result was: CRYPTO_VALID_CERT
May 11 15:35:51.803: CRYPTO_PKI: destroy ca_req_context type PKI_VERIFY_CHAIN_CONTEXT,ident 7
May 11 15:35:51.803: CRYPTO_PKI: (A0009) Validation TP is router
May 11 15:35:51.859: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
May 11 15:35:51.863: CRYPTO_PKI: Initializing renewal timers
May 11 15:35:51.863: PKI:get_cert router 0x10 (expired=0):
May 11 15:35:54.239: CRYPTO_PKI: Rcvd request to end PKI session A0009.
May 11 15:35:54.239: CRYPTO_PKI: PKI session A0009 has ended. Freeing all resources.
May 11 15:35:54.239: CRYPTO_PKI: unlocked trustpoint router, refcount is 0
May 11 15:35:54.243: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
VPN#

Thanks for the time you're taking to help me.

Hi JP,

Finally I managed to deauthenticate users by following these steps:

  1. crypto pki server ca-server revoke cert_serial_number
  2. clear crypto pki crl 

The next time the user tries to connect it is not allowed, and this log is shown on the router:

May 15 14:21:56.851: %PKI-6-PKI_CRL_DOWNLOADED: CRL download notification sent for Issuer = cn=ca-server.
May 15 14:21:56.883: %PKI-3-CERTIFICATE_REVOKED: Certificate chain validation has failed. The certificate (SN: 05) is revoked

Thanks for your help.
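To make the behaviour in this thread concrete, here is an added Python model (example code written for this page, not Cisco IOS code and not from any of the posts above) of a gateway CRL cache that reuses a downloaded CRL until its nextUpdate passes unless the cache is explicitly cleared, which is why revoking alone was not enough and the two-step fix above (revoke, then clear crypto pki crl) worked. It also implements the serial-number radix rule quoted in the accepted answer. The CRL timestamps and revoked serials are the ones visible in the debug output earlier in the thread (serial 4 in the CRL issued at 15:05:05Z, serials 4 and 5 in the one issued at 15:35:06Z); the class and function names, the LabCa stand-in, and the assumption that the gateway refreshes its CRL only at nextUpdate or on clear are mine.

```python
"""Replay of the CRL-cache behaviour seen in this thread (constructed model,
not Cisco IOS code). CRL field values are the ones in the debug output above."""
from dataclasses import dataclass
from datetime import datetime, timezone


def parse_ios_serial(text: str) -> int:
    """Radix rule from the 'crypto pki server ... revoke' documentation:
    leading 0x -> hexadecimal, leading 0 without x -> octal, else decimal."""
    if text[:2].lower() == "0x":
        return int(text[2:], 16)
    if len(text) > 1 and text[0] == "0":
        return int(text[1:], 8)
    return int(text, 10)


def parse_utctime(value: str) -> datetime:
    """Decode an ASN.1 UTCTime like '170511150505Z'; per RFC 5280 YY >= 50 means 19YY."""
    if len(value) != 13 or value[-1] != "Z":
        raise ValueError(f"unexpected UTCTime {value!r}")
    yy = int(value[0:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy
    return datetime(year, int(value[2:4]), int(value[4:6]), int(value[6:8]),
                    int(value[8:10]), int(value[10:12]), tzinfo=timezone.utc)


@dataclass(frozen=True)
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: frozenset


# The two CRLs the debug output shows the lab CA ("cn=ca-server") producing.
ISSUER = "cn=ca-server"
CRL_V1 = Crl(ISSUER, parse_utctime("170511150505Z"),
             parse_utctime("170511210505Z"), frozenset({4}))
CRL_V2 = Crl(ISSUER, parse_utctime("170511153506Z"),
             parse_utctime("170511213506Z"), frozenset({4, 5}))


class LabCa:
    """Hands out whichever CRL is current when a download happens (assumed model)."""

    def __init__(self) -> None:
        self.current = CRL_V1

    def download(self, issuer: str) -> Crl:
        if issuer != ISSUER:
            raise LookupError(issuer)
        return self.current


class CrlCache:
    """Assumed gateway behaviour: a cached CRL is reused until its nextUpdate
    passes or the cache is cleared (the effect of 'clear crypto pki crl')."""

    def __init__(self, download) -> None:
        self._download = download
        self._cache: dict = {}

    def clear(self) -> None:
        self._cache.clear()

    def status(self, issuer: str, serial: int, now: datetime) -> str:
        crl = self._cache.get(issuer)
        if crl is None or now >= crl.next_update:
            crl = self._download(issuer)
            self._cache[issuer] = crl
        return "revoked" if serial in crl.revoked else "good"


def replay_thread() -> dict:
    """Return the status the gateway reports for serial 5 at each step of the thread."""
    ca = LabCa()
    serial = parse_ios_serial("0x5")  # the argument used in the revoke command above

    # Gateway validates an earlier connection at 15:05:05Z and caches CRL v1 (only serial 4).
    gateway = CrlCache(ca.download)
    gateway.status(ISSUER, serial, parse_utctime("170511150505Z"))
    # 15:35:06Z: 'crypto pki server ca-server revoke 0x5' makes the CA publish CRL v2.
    ca.current = CRL_V2
    # 15:35:51Z: the client reconnects. Cached v1 is still before its nextUpdate
    # (21:05:05Z), so nothing is re-downloaded and serial 5 is not found.
    after_revoke_only = gateway.status(ISSUER, serial, parse_utctime("170511153551Z"))
    # 'clear crypto pki crl' drops the cache; the next validation downloads CRL v2.
    gateway.clear()
    after_clear_crl = gateway.status(ISSUER, serial, parse_utctime("170511153600Z"))

    # Without clearing, a gateway still holding v1 would only catch up at nextUpdate.
    ca.current = CRL_V1
    stale_gateway = CrlCache(ca.download)
    stale_gateway.status(ISSUER, serial, parse_utctime("170511150505Z"))
    ca.current = CRL_V2
    before_expiry = stale_gateway.status(ISSUER, serial, parse_utctime("170511210504Z"))
    at_next_update = stale_gateway.status(ISSUER, serial, parse_utctime("170511210505Z"))

    return {
        "after_revoke_only": after_revoke_only,  # "good": matches 'Revocation status = 0'
        "after_clear_crl": after_clear_crl,      # "revoked": matches %PKI-3-CERTIFICATE_REVOKED
        "before_next_update": before_expiry,     # "good"
        "at_next_update": at_next_update,        # "revoked"
    }


if __name__ == "__main__":
    for step, result in replay_thread().items():
        print(f"{step:>20}: {result}")
```

The point the replay makes is that revocation on the CA and revocation checking on the gateway are decoupled by the CRL's validity window: the CRL in the debug output was good for six hours, so a gateway that already held it had no reason to download again until 21:05Z. Clearing the cached CRL (or shortening the CRL lifetime on the CA, at the cost of more downloads) closes that window; the same reasoning applies to any peer that caches CRLs, not only to this lab router.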
